Posted: Tue Dec 21, 2004 9:13 pm
by romdev
We changed the code as suggested in the viewtopic.php file and now I have a mess:


Posted: Tue Dec 21, 2004 9:27 pm
by CLee
mikelhall wrote: So, my question would be, HOW would you stop your site from being vandalized while working on the upgrade? I have to do it manually, since I use a heavily modded site. Would changing the php dir work? I need it live to test the changes!

Install an unmodified 2.0.10 board temporarily while you reinstall the MODs.
I applied the Viewtopic fix to my 2.0.4 installation and was STILL attacked. FYI

There are other exploits in 2.0.4 that have been fixed in succeeding versions. There is a good chance that you were hacked using one of those.

Posted: Tue Dec 21, 2004 9:54 pm
by TekFi
I've just found this thread, but can't upgrade for a couple of weeks. I applied the above fix before I came away.

How worried should I be? Should it hold until I return in a fortnight?

Posted: Tue Dec 21, 2004 11:40 pm
by Mana
I am quite confused.
I run phpBB 2.0.8 and my host urgently advised me to upgrade to 2.0.11 and said they will upgrade to PHP version 4.3.10 and Zend Optimizer asap.
I was happy when I got the board running with one or two mods, I have no clues about the whole code stuff.

I assume I do have to upgrade .. does it mean taking the old one down and starting from scratch?
Is there a tutorial on how to upgrade? What will happen to the mods, I have to do all the changes again after upgrading, right?
Should I keep the 2.0.8 just running and install a newer version as a new one, do all the mods and changes and then just take the old one down?
Which files/directories must be saved if I want to keep the user database and my settings .. ?

That stuff gives me a headache. :(


Posted: Tue Dec 21, 2004 11:47 pm
by fearless_fred
If you only have two MODS, it won't be a problem re-installing them. So your best (and easiest, in my opinion) bet is to just download the "changed files only" download for your version (2.0.8 to 2.0.11). Upload those files to your forum directory, overwriting the old files. Then run the "upgrade to 2.0.11.php" and you should be done. It really is not a problem with just two MODS. Check whether there are new versions of your MODs while you're at it. Then take them and re-install them on your forum.

Someone correct me if I'm talking crap! ;)


Posted: Wed Dec 22, 2004 12:31 am
by YLA G
heeeeeeelppp :(

Having the same shit; even the backup servers are altered.

Posted: Wed Dec 22, 2004 12:58 am
by Beth
This is not a factual statement.
Those with both the upgrade AND the highlight exploit fix are getting hit.
I have seen NO fix as of this posting....

Can the guys who have created the "stop" file chime in from time to let us know how it's going..please?


Posted: Wed Dec 22, 2004 1:05 am
by Drexion
The source of the worm is available, it does take advantage of the highlight exploit which has been fixed in 2.0.11 for quite some time. If you have upgraded to 2.0.11, your forum should not be affected by this worm.
However, if your forum was compromised BEFORE you upgraded, after you upgrade there may be malicious files left on your webspace placed there by these outsiders. So check your webspace for suspicious files.

Additionally, on your forum ensure that no extra admins have been set. This query will list all admins,

Code:

SELECT username FROM phpbb_users WHERE user_level = 1;
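
An added defensive audit in the spirit of this post (example code, written for this thread; it is not from the original post or from phpBB itself). It runs the same admin query against a constructed SQLite copy of the phpbb_users table and compares a web root against a SHA-256 manifest taken from a clean install, so that extra admins and unknown or altered files stand out. The table layout, the expected-admin list, the sample files and the directory names are all constructed assumptions; on a real board you would point the query at the MySQL database and build the manifest from a freshly downloaded 2.0.11 package, never from the tree you suspect is compromised.

```python
import hashlib
import os
import sqlite3
import tempfile


def build_sample_db():
    """Constructed stand-in for phpbb_users (assumption: only the three columns
    the audit needs). user_level 1 is the administrator level in phpBB 2."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE phpbb_users (user_id INTEGER, username TEXT, user_level INTEGER)"
    )
    conn.executemany(
        "INSERT INTO phpbb_users VALUES (?, ?, ?)",
        [
            (2, "admin", 1),
            (3, "alice", 0),
            (4, "bob", 0),
            (5, "helpdesk", 1),  # constructed: an admin nobody remembers creating
        ],
    )
    return conn


def list_admins(conn):
    """Same query as the post above, returned as a sorted list of usernames."""
    rows = conn.execute("SELECT username FROM phpbb_users WHERE user_level = 1")
    return sorted(row[0] for row in rows)


def unexpected_admins(conn, expected):
    """Admins present in the database but absent from the allowlist you maintain."""
    return sorted(set(list_admins(conn)) - set(expected))


def hash_tree(root):
    """Map relative path -> sha256 hex digest for every regular file under root."""
    digests = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            with open(full, "rb") as fh:
                digests[rel] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def compare_webroot(manifest, webroot):
    """Return (unknown, modified, missing) file lists relative to a clean manifest.
    'unknown' is what to look at first: files the clean package never shipped."""
    actual = hash_tree(webroot)
    unknown = sorted(p for p in actual if p not in manifest)
    modified = sorted(p for p in actual if p in manifest and actual[p] != manifest[p])
    missing = sorted(p for p in manifest if p not in actual)
    return unknown, modified, missing


def _write(root, rel, text):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)


def build_sample_webroot():
    """Constructed example trees: a clean copy and a live copy in which one
    shipped file was altered and one extra file appeared. Returns (clean, live)."""
    base = tempfile.mkdtemp(prefix="phpbb_audit_")
    clean, live = os.path.join(base, "clean"), os.path.join(base, "live")
    shipped = {
        "viewtopic.php": "<?php // clean 2.0.11 viewtopic\n",
        "index.php": "<?php // clean index\n",
        "templates/subSilver/index_body.tpl": "<!-- clean template -->\n",
    }
    for root in (clean, live):
        for rel, text in shipped.items():
            _write(root, rel, text)
    _write(live, "index.php", "<?php // defaced index\n")  # altered shipped file
    _write(live, "images/extra.php", "<?php // file not in the package\n")  # unknown
    return clean, live


if __name__ == "__main__":
    db = build_sample_db()
    print("admins:", list_admins(db))
    print("unexpected admins:", unexpected_admins(db, ["admin"]))
    clean_dir, live_dir = build_sample_webroot()
    unknown, modified, missing = compare_webroot(hash_tree(clean_dir), live_dir)
    print("unknown files:", unknown)
    print("modified files:", modified)
    print("missing files:", missing)
```

Treat the "unknown" and "modified" lists as the starting point for cleanup rather than the whole answer: files that match the clean manifest can still sit next to altered templates, .htaccess files or database content, which is why the admin query is run alongside the file comparison.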

Posted: Wed Dec 22, 2004 1:35 am
by Spectral Dragon
Stupid me didn't upgrade in time, so the worm got me and now I am left with a nearly blank board, and a database that won't work. I tried restoring my board to a month-old database but it's not working! Is this because the database was made when I had the board in 2.0.10 and the board is now 2.0.11? The site had a bit over 3000 posts when it got attacked.

Posted: Wed Dec 22, 2004 3:02 am
by salty78
My friend's forum got nailed today.

Posted: Wed Dec 22, 2004 3:11 am
by CLee
Not to sound cold or anything, but get him to fix it. There are already plenty of topics on this forum explaining how to recover. While I don't speak for anyone else but myself, I'm sure that there are plenty of people who are getting tired of these "I've been hacked" reports over and over and over and over and over and. . . when the easiest thing for the victim to do is to read the announcements and what has already been posted.

Posted: Wed Dec 22, 2004 3:24 am
by salty78
Did you see me complaining? I don't and I'm not looking for support either. His site is in quite good condition. I was just posting here to add to the growing list of sites that have been nailed. Perhaps you should read more carefully.

The Bottom Line

Posted: Wed Dec 22, 2004 3:33 am
by blujay
Is a server running phpBB < 2.0.11 and PHP >= 4.3.10 vulnerable?

A site of mine got hit yesterday. We do not run phpBB, we run vBulletin. (Nothing against phpBB, it wasn't my decision, anyway.) We are on a shared server. Many, but not all, of our files were overwritten. Some directories were left untouched, while others were hit completely, with no apparent rhyme or reason to the choices.

Our host was running PHP 4.3.4, IIRC. They are now running PHP 4.3.10.

Here's the problem: If I understand this worm correctly, since we don't run phpBB, it didn't come in through our site, but another site hosted on the server that runs phpBB. I have spent quite a while reading what I can find about the worm, but little or none of it is definitive.

Bottom line: Is a server running phpBB < 2.0.11 and PHP >= 4.3.10 vulnerable?

If so, then the site on the server that is running phpBB must upgrade, or we could get hit again.

On a similar note, let's get down to the nitty gritty about this worm. From what I've read, it exploits the highlight vulnerability in phpBB < 2.0.11; is that correct? Many people think it exploits one of the recently-discovered PHP vulnerabilities, but others think it exploits the phpBB highlight vulnerability. Can anyone here say definitively one way or the other? Can upgrading PHP to 4.3.10 protect against this?

Thanks in advance for any help.

Posted: Wed Dec 22, 2004 3:38 am
by salty78
The only thing I know is that my webhost upgraded to PHP 4.3.10 before this started and I have yet to be hit by this worm. I also upgraded to 2.0.11 immediately after it was released. So, my unscientific answer is no to being vulnerable.

Posted: Wed Dec 22, 2004 3:39 am
by cdllt
My server got this worm hit hard! :twisted: :twisted: